
[Question] How to manipulate (remove/add/change) claims from user (Cookie authentication based) after sign in process

Open henriquebelotto opened this issue 3 years ago • 5 comments

Hello,

I have an app that uses MS Identity Web and Azure AD B2C to authenticate users. One of the features that we have is user impersonation. So, an admin can log in, using a different Azure policy, and indicate which member ID the admin wants to impersonate. The user's ID is stored in the cookie during the "OnTokenValidated" event. This works fine. Now, they want the admin to be able to switch the user without signing out and in again. So my idea was to replace the user ID in the claims. I tried so many different approaches that I saw on the web, but none of them seems to work.

Please, could someone give me some idea about how to do that (if that's even possible)?

Thank you very much

henriquebelotto avatar Jul 02 '21 20:07 henriquebelotto

@henriquebelotto.

You can add claims (See https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/8c3aef9ef5963501efba76151cd1891ebc7e8b90/5-WebApp-AuthZ/5-2-Groups/Startup.cs#L51), but not change the identity.

Did you think of using multiple authentication schemes? https://github.com/AzureAD/microsoft-identity-web/wiki/multiple-authentication-schemes

jmprieur avatar Jul 03 '21 15:07 jmprieur

@jmprieur Thank you for your reply, but my issue is a bit different.

We have this impersonation feature, where an administrator, during sign-in to Azure AD B2C, indicates which member is going to be impersonated. So, we store that information in the claim. Now, I need to be able to replace this information in the claim after the authentication cookie has been created (the administrator has already logged in and wants to try a different person). I tried all the approaches that people described here https://stackoverflow.com/questions/24587414/how-to-update-a-claim-in-asp-net-identity but it didn't work. Especially because when I send the user to "sign in again", like this:

    await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(HttpContext.User.Identity));

the administrator user is being sent to the wrong authentication policy. (I have two sign-in policies in Azure AD B2C, one for regular users and one for administrators.)

I also tried this approach https://visualstudiomagazine.com/articles/2019/11/01/authorization-claims.aspx

But, it only adds a new identity to the current identity. Also, this function is called in every request and could potentially slow down things.

In summary, what I want is the following:
1- Administrator signed in with some claims;
2- Authentication cookie has been created and is being used;
3- Administrator wants to impersonate another user, so I need to replace values in the cookie (claims);
4- Replace the claim by the new values and create a new authentication cookie.

Is it possible to do it?

Thank you

henriquebelotto avatar Jul 05 '21 14:07 henriquebelotto

Any update on this? I have literally the exact same requirement and the exact same problem.

Updating the claims and then calling SignInAsync worked perfectly before when I was using Microsoft.AspNetCore.Authentication.AzureAD.UI; but then I was forced to upgrade to microsoft.identity.web due to deprecated/upgrade warnings and now this approach no longer works. I have spent days trying to come up with a workaround, but I'm frustrated to say that I have not had any success.

JordanMarr avatar Apr 26 '22 16:04 JordanMarr

@JordanMarr Did you see https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-6.0#create-an-authentication-cookie? Do you use the right authentication scheme?

jmprieur avatar Apr 27 '22 00:04 jmprieur

> @JordanMarr Did you see https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-6.0#create-an-authentication-cookie? Do you use the right authentication scheme?

I used the cookie scheme created via AddMicrosoftIdentityWebApp:

    // F#: register the OpenID Connect and cookie handlers through Microsoft.Identity.Web,
    // naming both schemes explicitly (AuthScheme is a constant defined elsewhere in the app)
    services
        .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(cfg.GetSection("AzureAd"), openIdConnectScheme = AuthScheme, cookieScheme = "AzCookies")
        |> ignore

And then later when I want to add the claims to the already authenticated User, I do this:

            // F#, inside a task { ... } with `ctx : HttpContext` in scope.
            // The claim objects are built earlier from the chosen member; the claim type names are assumed.
            let identity = ctx.User.Identity :?> ClaimsIdentity
            let impersonatedEmailClaim = Claim("impersonated_email", impersonatedEmail)
            let impersonatedUsernameClaim = Claim("impersonated_username", impersonatedUsername)

            // Add claims
            identity.AddClaim(impersonatedEmailClaim)
            identity.AddClaim(impersonatedUsernameClaim)

            // Recreate user identity / cookie under the cookie scheme registered above
            do! ctx.SignInAsync("AzCookies", ClaimsPrincipal(identity))

The problem is that after doing this my claims seem to get overwritten again and the added claims disappear.

JordanMarr avatar May 01 '22 23:05 JordanMarr
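The procedure the original poster lists (swap the impersonated member in the claims and re-issue the cookie) and the F# attempt above both come down to the same steps. As an added example, not code from this thread or from the Microsoft.Identity.Web project, here is a C# endpoint that does it while keeping the ticket's own AuthenticationProperties and targeting the cookie scheme explicitly. It assumes the cookie scheme is named "AzCookies" as in the F# snippet, that the member id lives in a claim of type "member_id", and that an "AdminOnly" authorization policy exists; all three are placeholders for the real application's values.

```csharp
// Added example; not part of the issue thread or of Microsoft.Identity.Web itself.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

[ApiController]
[Authorize(Policy = "AdminOnly")]   // assumed policy: only administrators may switch the impersonated member
public sealed class ImpersonationController : ControllerBase
{
    private const string CookieScheme = "AzCookies";   // must match cookieScheme passed to AddMicrosoftIdentityWebApp
    private const string MemberIdClaim = "member_id";  // assumed claim type written in OnTokenValidated

    private readonly ILogger<ImpersonationController> _log;
    public ImpersonationController(ILogger<ImpersonationController> log) => _log = log;

    [HttpPost("impersonation/switch")]
    public async Task<IActionResult> Switch([FromForm] string memberId)
    {
        // Authenticate against the cookie scheme so we get the existing ticket's
        // AuthenticationProperties (expiry, persistence) and reuse them on re-issue.
        var result = await HttpContext.AuthenticateAsync(CookieScheme);
        if (!result.Succeeded || result.Principal?.Identity is not ClaimsIdentity current)
            return Unauthorized();

        // Work on a clone so the principal of the in-flight request is not mutated,
        // then replace only the member id claim and keep every other claim intact.
        var identity = current.Clone();
        foreach (var old in identity.FindAll(MemberIdClaim).ToList())
            identity.RemoveClaim(old);
        identity.AddClaim(new Claim(MemberIdClaim, memberId));

        // Audit every switch: who impersonated whom, from which previous target.
        var previous = current.FindFirst(MemberIdClaim)?.Value ?? "<none>";
        _log.LogInformation("Admin {Admin} switched impersonation from {From} to {To}",
            current.Name, previous, memberId);

        // Sign in to the cookie scheme by name. The app's default scheme is OpenIdConnect,
        // whose handler does not support SignInAsync, so the cookie scheme must be explicit.
        await HttpContext.SignInAsync(CookieScheme, new ClaimsPrincipal(identity), result.Properties);
        return NoContent();
    }
}
```

Because the rest of the identity (including the administrator's own identifier claims) is preserved, authorization decisions and token acquisition keyed on the original account keep working after the switch.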